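# Meraki-FW FW-FW-Security-Event FW-FW-Security-Log
#
# Field legend for the raw syslog line (one token per space-separated position):
#   <PRIORITY>VERSION TIME GATEWAYIP - - - TIMESTAMP_FW APPLIANCENAME TYPE IDS_EVENT SIGNATURE PRIORITY TIMESTAMP_EPOCH HOST_MAC_SRC DIRECTION PROTOCOL HOST_IP_SRC PORT_SRC HOST_IP_DST PORT_DST MESSAGE
#
# FW-FW-Security-Event true
#
# Sample line this filter is written against:
#   <134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query
#
# Pipeline: grok the Meraki IDS line -> tag it -> build the normalised 'Event:*'
# record -> move every remaining raw capture under 'Event:Meraki-FW-Event:*'.
# Lines that do not match the grok pattern get grok's default
# '_grokparsefailure' tag and skip the normalisation branch entirely.
filter {
  grok {
    # Capture names are chosen so that no capture collides with a field the
    # input already sets; grok appends to an existing field (turning it into an
    # array) instead of replacing it, which is why the original 'host', 'message'
    # and doubly-captured 'priority' fields came out as arrays.
    #   syslog_pri  - the RFC5424 <PRI> value (was 'priority', clashing with the IDS priority)
    #   gateway_ip  - the syslog sender (was 'host', clashing with the input's host field)
    #   pid/errMsg/OID - the three '-' placeholders of the Meraki header; names kept for
    #                    backward compatibility, they are not really PID/error/OID values
    #   ids_message - the trailing free text (was 'message', clashing with the raw line)
    # 'src' and 'dst' are captured as 'ip:port', exactly as they appear in the sample.
    match => {
      'message' => '<%{POSINT:syslog_pri}>%{POSINT:version} %{TIMESTAMP_ISO8601:time} %{IPORHOST:gateway_ip} %{DATA:pid} %{DATA:errMsg} %{DATA:OID} %{DATA:timestamp_fw} %{DATA:appliancename} %{DATA:type} %{DATA:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} timestamp=%{DATA:timestamp} shost=%{COMMONMAC:shost} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{DATA:src} dst=%{DATA:dst} %{GREEDYDATA:ids_message}'
    }
    add_tag => ['Meraki-FW-Event']
  }

  if 'Meraki-FW-Event' in [tags] {
    mutate {
      # Logstash bookkeeping fields that are not part of the normalised record.
      remove_field => ['@version', 'host', 'path', '@message']
      # Normalised record. One hash instead of repeated add_field options so the
      # result does not depend on how the config parser merges duplicate keys.
      # 'Event:Timestamp' is the syslog header time ('%{time}', not the grok
      # pattern syntax) and is re-rendered by the ruby filter below.
      # Source/Destination-IP-Address contain 'ip:port' as captured from the line.
      add_field => {
        'Event:Event-Name'             => '%{IDS_Event}'
        'Event:Timestamp'              => '%{time}'
        'Event:Pattern-Name'           => 'Meraki-FW-Event'
        'Event:Source-IP-Address'      => '%{src}'
        'Event:Destination-IP-Address' => '%{dst}'
        'Event:Protocol'               => '%{protocol}'
        'Event:Direction'              => '%{direction}'
        'Event:MAC-Address'            => '%{shost}'
        'Event:Timestamp-Epoch'        => '%{timestamp}'
        'Event:Priority'               => '%{priority}'
        'Event:Signature'              => '%{signature}'
        'Event:Appliance-Name'         => '%{appliancename}'
        'Event:Timestamp-FW'           => '%{timestamp_fw}'
        'Event:Message'                => '%{ids_message}'
      }
    }

    ruby {
      # Time.iso8601 comes from the 'time' stdlib; load it once at pipeline start.
      init => "require 'time'"
      # NOTE(review): this uses the hash-style Event API (event['f'], event.remove)
      # of the original filter; Logstash 5+ requires event.get/event.set instead.
      # Confirm against the deployed Logstash version.
      code => "
        # Read the header time before the rename loop moves it under the prefix.
        raw_time = event['time']

        # Namespace every raw capture that is neither a normalised 'Event:*'
        # field nor a Logstash '@' field under the pattern-specific prefix, so
        # the raw evidence (including the untouched 'message' line) stays on the
        # record but cannot collide with captures from other patterns.
        data = event.clone.to_hash
        data.each do |k, v|
          next if k.start_with?('Event:') || k.start_with?('@')
          event['Event:Meraki-FW-Event:' + k] = v
          event.remove(k)
        end

        # 'Event:Timestamp' carries the event's own time (from the syslog header)
        # rather than the pipeline's wall clock, so replayed or delayed logs keep
        # their real position on the timeline. Falls back to now only when the
        # header time is missing or unparseable. Rendered in UTC because the
        # '%Y-%m-%d %H:%M:%S' shape has no zone of its own.
        begin
          ts = Time.iso8601(raw_time.to_s)
        rescue ArgumentError
          ts = Time.now
        end
        event['Event:Timestamp'] = ts.utc.strftime('%Y-%m-%d %H:%M:%S')
      "
    }
  }
}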